Citibank discloses private information to improve security

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue May 31 13:28:56 EDT 2005


"Heyman, Michael" <Michael.Heyman at sparta.com> writes:

>In this situation, I believe that the users, through hard won experience with
>computers, _correctly_ assumed this was a false positive.

Probably not.  This issue was discussed at some length on the hcisec list,
(security usability, http://groups.yahoo.com/group/hcisec/), e.g:

-- Snip --

In my experience with helping out non-technical users, certificates are
treated as a purely boolean option, either they're valid or they're not.  In
fact usually the validity of certificates isn't even an option, either you get
a warning dialog or you don't, the actual text may as well be written in
Swahili.  People don't understand (or maybe don't want to understand) the
technical explanations that browsers throw up for them.  So an expired cert
would have the same status as one for the wrong site or a dozen other reasons
why the browser would throw up a warning.

I did some even less rigorous checking (i.e. asked a few users who were handy)
why they would have done something like this if they'd been one of the 300 and
their response was that since it was a known site that they'd dealt with
before, they'd assume it was some config error and continue anyway.  Several
of them had had similar problems with things like Hotmail (that is, not
SSL-related but just general "it didn't work when I tried it" problems), where
clicking OK to get rid of warnings or waiting half an hour and trying again
had fixed things.  This was just another random site error that they would
have navigated around.

-- Snip --

For more discussion, see the list archives.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List